Firewall Agent is a Ruby DSL for IPTables, designed to simplify firewall configuration for clouds and clusters, especially when hosted by 3rd party VPS services.
Human readable/writable policy files
Dynamic policy updates
Written in Ruby
What Are Dynamic Policy Updates? IPTables uses a static configuration file to specify the ports, hosts and connections allowed through the firewall. Firewall-agent with Dynamic Policy Updates allows you to go beyond static files to update your policy file as needed, based on changing network conditions, dynamic host or service lists, or time-based criteria. The policy examples below explain some of these applications in more detail.
sudo gem install powcloud-firewall-agent sudo firewall-agent bootstrap sudo firewall-agent
The command 'firewall-agent bootstrap' creates a policy.rb file in the /etc/firewall-agent directory using the same 'standard' policy shown in this README. You can edit this file to your needs or create custom policy files. To pass a custom policy to the firewall-agent at startup, use this syntax:
sudo firewall-agent <path-to-my-policy-file.rb>
To Run as a Service (TBD)
service start firewall-agent
Writing a Policy File
Policy files are simple ruby files, and as such, can utilize the complete ruby syntax, requires, etc. Policy files are required to have a 'policy' block. To get started create a policy file using one of the templates below, then customize it to your needs.
policy :standard_policy do deny_all # deny all connections from all hosts allow_listen 'http' # let HTTP connections in allow_established # allow all established TCP connections allow_ping # let any host ping this server allow_ssh # allow SSH connections end
policy :dynamic_policy do deny_all allow_listen 'http', 'https' # list multiple services or ports as needed # Firewall-agent will whitelist all slices in your account, enabling a Virtual Private Network for your slices update :each => 5.minutes do allow_ips slicehost_get_ips('https://email@example.com/') end allow_established allow_ping allow_ssh end
Super Advanced Policy
require 'resolve' policy :advanced_policy do deny_all allow_listen 'http', 'https' update :each => 5.minutes do allow_ips slicehost_get_ips('https://firstname.lastname@example.org/') end # 3 different schedules for different types of policy elements # this block will enable you to always access all services on # this host - even when your IP changes, via a Dynamic DNS service update :each => 10.minutes do allow_ips Resolv.getaddress('your-desktop.dyndns.org') allow_ips Resolv.getaddress('your-laptop.dyndns.org') end # disable printing using CUPS/IPP outside of business hours update :each => 1.minutes do now = Time.now allow_listen 631 unless now.hour < 8 || now.hour > 18 end allow_established allow_ping allow_ssh end
Extending Firewall Agent
Firewall-agent includes a sample extension for Slicehost VPS users. The extension uses the Slicehost API to get a list of all slices in your account, then updates the policy to allow access from any of these nodes - for all ports - on the firewall-agent host. You can use this as a model to create similar extensions for other VPS providers such as Linode, etc.
In addition, we believe there are many opportunities for extensions to integrate dynamic whitelist and blacklist services. Please share your creations with the community. Well documented and tested extensions will be added to the firewall-agent core - please contact us on GitHub.
Note on Patches/Pull Requests
Fork the project.
Make your feature addition or bug fix.
Add tests for it. This is important so I don't break it in a future version unintentionally.
Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
Send me a pull request. Bonus points for topic branches.
Licensed under the MIT license: www.opensource.org/licenses/mit-license.php
COPYRIGHT 2010 POWCLOUD INC.